{"id":50555234,"url":"https://github.com/alphasecio/krypton","last_synced_at":"2026-06-04T06:30:51.205Z","repository":{"id":359579100,"uuid":"1246685295","full_name":"alphasecio/krypton","owner":"alphasecio","description":"Google Cloud post-quantum cryptography readiness scanner.","archived":false,"fork":false,"pushed_at":"2026-05-22T13:54:50.000Z","size":437,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-22T18:54:58.982Z","etag":null,"topics":["gcp","google","google-cloud","post-quantum","post-quantum-cryptography","pqc","quantum"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alphasecio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"ko_fi":"alphasec","buy_me_a_coffee":"alphasec"}},"created_at":"2026-05-22T12:53:06.000Z","updated_at":"2026-05-22T13:58:19.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/alphasecio/krypton","commit_stats":null,"previous_names":["alphasecio/krypton"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/alphasecio/krypton","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alphasecio%2Fkrypton","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alphasecio%2Fkrypton/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alphasecio%2Fkrypton/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alphasecio%2Fkrypton/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alphasecio","download_url":"https://codeload.github.com/alphasecio/krypton/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alphasecio%2Fkrypton/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33893323,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-04T02:00:06.755Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gcp","google","google-cloud","post-quantum","post-quantum-cryptography","pqc","quantum"],"created_at":"2026-06-04T06:30:50.710Z","updated_at":"2026-06-04T06:30:51.199Z","avatar_url":"https://github.com/alphasecio.png","language":"Python","funding_links":["https://ko-fi.com/alphasec","https://buymeacoffee.com/alphasec"],"categories":[],"sub_categories":[],"readme":"# Krypton\n\n**Google Cloud Post-Quantum Cryptography (PQC) Readiness Scanner**\n\nKrypton inventories cryptographic assets across your Google Cloud environment and identifies configurations that are not ready for the post-quantum era. It produces a self-contained HTML report and a persistent SQLite database for trend tracking.\n\n![Krypton PQC Readiness Report](/static/krypton-pqc.png)\n\n\n## What it scans (cryptographic assets)\n\n| Module | Assets | Findings |\n|------------------|---|---|\n| **TLS Policies** | HTTPS and SSL Proxy load balancers | Missing SSL policy, legacy TLS (1.0/1.1), weak ciphers, suboptimal profiles |\n| **Certificates** | Classic SSL certs, Certificate Manager | Classical RSA/ECDSA keys (harvest risk), expiry warnings |\n| **KMS/HSM Keys** | Cloud KMS key versions | Classical RSA/EC keys, resources without CMEK |\n| **SSH Keys**     | Project and instance metadata keys, OS Login | RSA/ECDSA/DSA keys in metadata |\n\n\n## What it reports (PQC status)\n\n| Status | Meaning |\n|---|---|\n| **PQC Ready** | Already using ML-KEM or ML-DSA (Cloud KMS preview) |\n| **PQC Capable** | RESTRICTED + TLS 1.3 — optimally configured, PQC auto-enabled when Google ships it |\n| **Quantum-Safe** | AES-256 / HMAC — symmetric, quantum-resistant by design |\n| **Classical** | Strong today, vulnerable post Q-Day (harvest now, decrypt later risk) |\n| **Not Ready** | Weak or missing configuration, needs immediate attention |\n\n\n## Prerequisites\n\n- Google Cloud Shell (or any environment with `gcloud` authenticated)\n- ADC configured: `gcloud auth application-default login`\n- Python 3.9+\n\n\n## Setup\n\n### Installation\n\n```bash\ngit clone https://github.com/alphasecio/krypton\ncd krypton\nchmod +x setup.sh\n\n# Single project\n./setup.sh --project your-project-id\n\n# Org-wide\n./setup.sh --org your-org-id --billing-project your-project-id\n```\n\n`setup.sh` enables required APIs, grants minimum IAM roles to your active identity, and creates a Python virtualenv.\n\n### IAM roles granted\n\n| Role | Purpose |\n|---|---|\n| `roles/compute.viewer` | Load balancers, SSL policies, instances, project metadata |\n| `roles/certificatemanager.viewer` | Certificate Manager |\n| `roles/cloudkms.viewer` | KMS key rings, keys, versions |\n| `roles/storage.legacyBucketReader` | GCS bucket encryption metadata |\n| `roles/bigquery.metadataViewer` | BigQuery dataset encryption config |\n| `roles/cloudsql.viewer` | Cloud SQL instance CMEK status |\n| `roles/resourcemanager.organizationViewer` | Project enumeration (org mode only) |\n\n\n## Running\n\n```bash\nsource .venv/bin/activate\n\n# Scan a single project\npython krypton.py --project your-project-id\n\n# Scan all projects in an org\npython krypton.py --org your-org-id\n\n# Skip HTML report (DB only)\npython krypton.py --project your-project-id --no-report\n```\n\nEach run appends a new scan record to `krypton.db` and writes a timestamped HTML report:\n\n```\nkrypton.db\nkrypton_20260521_103000_report.html\n```\n\n\n## Report\n\nThe HTML report is fully self-contained — no external dependencies, works offline. It includes:\n\n- **Three summary cards**: Crypto assets breakdown, PQC status distribution, findings by severity\n- **Findings section**: All actionable issues, sorted by severity\n- **Crypto Assets section**: Complete cryptographic inventory grouped by module\n\n\n## Limitations\n\n- **No PQC-specific SSL policy attribute on Google Cloud** — Google does not yet expose ML-KEM key exchange as a customer-configurable SSL policy option. `PQC Capable` (RESTRICTED + TLS 1.3) is the closest achievable signal; actual PQC key exchange happens transparently at the GFE layer when Google enables it.\n- **Control-plane only** — Krypton reads Google Cloud API configuration. It does not perform active TLS handshakes or scan application-layer cryptography, container images, or IaC.\n- **KMS PQC algorithms** — ML-KEM and ML-DSA in Cloud KMS are in preview. `PQC Ready` findings will appear when these are in use.\n\n\n## Disclaimer\n\nKrypton is an independent open-source project with no affiliation to Google LLC or any other vendor. It is provided for educational and informational purposes only. Scan results may be incomplete, inaccurate, or out of date — do not rely on them as a substitute for a professional security assessment. The author accepts no liability for decisions made based on this tool's output. Use at your own risk.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falphasecio%2Fkrypton","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falphasecio%2Fkrypton","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falphasecio%2Fkrypton/lists"}